Until fairly recently, wireless networks were configured to only support wireless devices that were pre-approved by a network administrator. Typically, this required an incoming guest to register her wireless device (e.g., laptop computer) with the network administrator. This was problematic because the normal registration process was quite labor intensive from an IT perspective and, in many cases, caused new guests to wait an unreasonable amount of time before a network administrator could register her laptop computer.
At that time, for device registration, the network administrator manually uploaded either the unique media access control (MAC) address of the laptop computer or its newly assigned identifier into a database. Tasked with the responsibility of controlling access to the wireless network, an authentication server accessed the database whenever a wireless device sought access to the wireless network. If the wireless device was registered, it was granted access to the wireless network. Otherwise, access was denied.
Recently, however, wireless networks are being adapted to support “Bring-Your-Own-Device” (BYOD) environments, where all users are able to access a targeted wireless network through their personal devices, such as laptop computers, tablets, or smartphones for example. As a result, the number of devices per network user has grown from a one-to-one relationship to a one-to-many relationship as a network user may simultaneously or interchangeably connect to a network using multiple devices.
Granting enterprise access to personal devices has direct implications on security and network control. Security challenges range from understanding who and what is connected to the network to keeping the network malware-free, including proper enforcement and compliance with access policies.
Currently, in supporting a BYOD networking environment, secure access to the network is provisioned through an authentication scheme that involves an exchange of digital certificates. However, certain types of wireless devices, most notably Android® based smartphones, are not suited for this type of authentication scheme. The reason is that Android® based smartphones appear to automatically accept any issued digital certificates, without issuing a request for user acceptance before releasing information pertaining to the smartphone. Thus, this device is susceptible to “man-in-the-middle” attacks, which can reduce the security of the network as a whole.
A method of provisioning unique device credentials in a universal manner for all device types or capabilities is strongly needed.